The Agent Skills Directory

[REMOTE_CODE_EXECUTION] (HIGH): Multiple scripts, including check_freebusy.sh, create_timeoff.sh, list_events.sh, and update_event.sh, interpolate user-provided date and time strings directly into a Python command executed via python3 -c. This allows an attacker to inject arbitrary Python code by including single quotes and semicolon-separated commands to breakout of the string literal and execute shell commands. Evidence in check_freebusy.sh: START_TIMESTAMP=$(python3 -c "... datetime.strptime('$START_DATE ...', ...)").
[EXTERNAL_DOWNLOADS] (MEDIUM): Every script in the skill attempts to execute a token refresh script located in a sibling directory (../../feishu-tasks/scripts/refresh_token.sh). This creates a dependency on an external, unverifiable skill and introduces a supply-chain attack vector where a malicious sibling skill could gain execution rights.
[DATA_EXFILTRATION] (MEDIUM): The skill reads OAuth tokens directly from ~/.feishu-credentials.json. While necessary for the skill's purpose, this access to the home directory is sensitive and could be abused to exfiltrate session tokens if the RCE vulnerability is exploited.
[COMMAND_EXECUTION] (LOW): Scripts such as create_event.sh and add_attendee.sh construct JSON payloads for curl using raw shell variable interpolation. This is vulnerable to JSON injection, allowing an attacker to manipulate the API request structure by providing inputs containing double quotes.

feishu-calendar